Overview

overview

10

Static

static

f0a16b0224...c2.exe

windows7_x64

10

f0a16b0224...c2.exe

windows10_x64

10

Resubmissions

01-04-2021 07:33

210401-4vzyxjk6va 10

30-03-2021 13:24

210330-12ql9t48ts 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-04-2021 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2.exe

  • Size

    433KB

  • MD5

    177a571d7c6a6e4592c60a78b574fe0e

  • SHA1

    7f1b49c2946a9a036cf60e25e1a8452f6237a57d

  • SHA256

    f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2

  • SHA512

    ccd0329bbcfb365f009678d7e8e7f5cf91547d25898f878bb44c313103be7962a2f0832c5a76b4dea1cdbf86b58e5f7b0fb160bb4160d15cd3de65fa6505c91c

Score
10/10
sodinokibi5750ransomwarespywarestealer

Malware Config

Extracted

Path

C:\76r5gs0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 76r5gs0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/250294D53AEAEDEC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/250294D53AEAEDEC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Tz//FtaE8pzxen/cvZZaaCOY+Y1zrLhiZVoZF3VQ0TY5ZXRVejdBw7XPn2NXjaGQ 91hvX5EYNzesuWKYp/my1y6k6pOLS8QF+Sx0ahF2an1cTxZaccfyk2BMO7w7rYfM 4mACZsTYlCbYqNxCgNxrLqxnri5zhh4zgyhCjIt7AUF0Zd4i9Y8oh2pyShqwjZvj EVeToCDdX00j3N/ZMUrO5q69Q6OLMHdjq/7hXXj8ZK6oYENkV01NlMm4Z08PhcFJ Ozngnc25BnqdO+y8MBEcGBf6qG04Cy8sW60b2oy5GOW1aLMQUHvAdMV0AqNEwKBR Rr7/cnPU5Uc3vxwmkQ9/STXDUMZ717KAv/0Mz7dfFWHr3BjsKssXi1nKtXbgEGHj A3Op4TSmnpQUPr9wkTp6SkozTuDGxtxKZThrouSqh273KOcgb3fZlVwqDiyIU3Rz wKYd8DIKWHelce3fgFxJ75acksfdPy3OtoyiIjDncaURqrGaEChm3D5esEfQ+pQg l0+CTnrrIU3JfCUn6qSgS4Bir7RCV+Ipr1y6zKzfTdD56uqs4QoIzSZftoxQaJgK O5hO1QQ7jJuMlDVZj5du8iwivXWxqGIo+yXbM8NBl85gYQ+yVP6x0+QhSHmHhzf7 Btte8RkZOIc/bV4BqZvWur65ix4sU/ccz05dV+Uq+AW33FC90Tkc0NKzSPEDI47a JgvTDL2mfR7Is728LN8QPgQACtuCgrtmUaWggoWOqWe/eJ1J7a0/6DHH7S3Bwv5n JuIhyHA6tUNch9Nahcs+p72+n9bBoe9U3qVDmUpjAdXS63DVF7NAWB0FsdcWrTqc S98WB47xwm1HjNm0RrKXd5eKOCcz9jgiRVqQPRR8axusY48ZM1/wQBfS2S1+MxE3 PNgUtUqie8Q6JnIu9C8/7A6Cv5gfysxXWLILIVAwGQgIpiXmrHNAiB7AYtg5j9Ha 9O0Krcw1xDNu9Gpd0HnOL5MzWn09jAVmytZkXEbsw8W7tIdqXs6YuBVENLL0KFtM qYDFgsNSoS+HrTg8PLthORrkObLEw/HILWAYMTKKSYisESqvwKxSpnKvBPf9C27X wpbfbE9WWAKoETS59m9+8NMj44I2T6N7/G/kCRMeB/Rxsa5jz+IUAiGS Extension name: 76r5gs0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/250294D53AEAEDEC

http://decryptor.top/250294D53AEAEDEC

Extracted

Family

sodinokibi

Botnet

5

Campaign

750

C2

duthler.nl

test-teleachat.fr

powershell.su

gbk-tp1.de

theatre-embellie.fr

awag-blog.de

bundan.com

dnqa.co.uk

lattalvor.com

funworx.de

premiumweb.com.ua:443

slideevents.be

housesofwa.com

rossomattonecase.it

tramadolhealth.com

rentingwell.com

thepixelfairy.com

rozmata.com

nvisionsigns.com

fire-space.com
Attributes
  • net

    true

  • pid

    5

  • prc

    xfssvccon

    ocomm

    ocssd

    visio

    isqlplussvc

    mspub

    onenote

    sqbcoreservice

    synctime

    msaccess

    steam

    dbsnmp

    mydesktopqos

    outlook

    excel

    thebat

    tbirdconfig

    thunderbird

    oracle

    powerpnt

    ocautoupds

    wordpa

    winword

    encsvc

    dbeng50

    sql

    infopath

    firefox

    mydesktopservice

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    750

  • svc

    sql

    sophos

    svc$

    veeam

    memtas

    backup

    vss

    mepocs

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2.exe
    "C:\Users\Admin\AppData\Local\Temp\f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3216
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:940
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:388

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/812-2-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/812-3-0x00000000001D0000-0x00000000001DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/812-4-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/812-5-0x00000000006B0000-0x00000000006B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/812-6-0x00000000006C0000-0x00000000006C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/812-7-0x00000000006D0000-0x00000000006D6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1148-8-0x0000000000000000-mapping.dmp
      Download
    • memory/3216-9-0x0000000000000000-mapping.dmp
      Download